MikroTik

Gomo

are there supposed to be hits on DST NAT rules for traffic that is not permitted by the FW? Yes, there are. According to packet flow , DST-NAT is part of pre-routing ... and firewall filter rules are part of either input or forward packet path ... which both come after pre-routing. Sometimes it's p...

Gomo

I do have following (besides 3 mentioned ones) /ip/firewall/filter/ add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN And, no, unfortunately I cannot share the whole config -> hence why I wrote example FW rules. I won't even go into "why would someone open ports&q...

Gomo

Hello all, I am struggling to understand why I am getting DST NAT rule hits on traffic that is blocked by the firewall. For example, with following config: /ip/firewall/filter/ add chain=forward src-address=100.100.100.100 dst-address=192.168.200.10 dst-port=22 protocol=tcp action=accept /ip/firewal...

Gomo

Hello, I am struggling to find information on which mobile modem / OOB I can use with CCR1009-7g-1c-1s+ (via USB?). Since I am on a time schedule I would like to avoid whole trial and error thing and would greatly appreciate your suggestions. If you have used specific ones / which one / does it work...

Gomo

root@rpi3:~# ip neighbor 192.168.100.44 dev wlan0 lladdr d2:10:ab:b3:ae:29 STALE 192.168.100.53 dev wlan0 lladdr 1a:74:79:65:61:ba STALE 192.168.100.2 dev wlan0 lladdr b2:40:c8:09:7d:ad STALE 192.168.100.31 dev wlan0 lladdr 36:b1:f6:83:25:5f STALE 192.168.100.65 dev wlan0 lladdr de:fb:3c:3e:d4:30 S...

Gomo

Now looking at the config export, I have no clue why, but things clearly didn't get exported properly. There is a default route to 10.30.30.6 yet the config export didn't show it. I re-added it and now it shows in the export... strange. Clients in 10.30.30.2 and 10.30.30.3 do have internet access (+...

Gomo

Here's the current R2 config: # 2024-04-15 23:10:36 by RouterOS 7.12.1 # software id = JYVA-SF64 # # model = RB760iGS # serial number = HD50802B0EP /interface bridge add admin-mac=18:FD:74:AA:5A:C4 auto-mac=no comment=defconf name=bridge /interface ethernet set [ find default-name=sfp1 ] arp=proxy-a...

Gomo

The local firewall was disabled before testing. Does the highlighted log entry on R2 indicate anything?

Gomo

I spoke a bit too soon. The ICMP does work, but for example SSH does not (no matter if the suggested route entry is there or not). Yes, R1 does have an ARP entry now. Do I need to enter the port range for my dst-nat rule? although, I thought leaving it empty would mean that all 65535 ports are inclu...

Gomo

After changing the suggested ARP setting for "sfp1" interface, things started to work. [admin@MikroTik] > ip/arp/print Flags: D - DYNAMIC; C - COMPLETE Columns: ADDRESS, MAC-ADDRESS, INTERFACE # ADDRESS MAC-ADDRESS INTERFACE 0 DC 192.168.88.254 B8:27:EB:31:6A:60 bridge 1 DC 10.30.30.6 2C:C...

Gomo

Same as before: [admin@MikroTik] > ip/arp/print Flags: D - DYNAMIC; C - COMPLETE Columns: ADDRESS, MAC-ADDRESS, INTERFACE # ADDRESS MAC-ADDRESS INTERFACE 0 DC 10.30.30.6 2C:C8:1B:03:CE:9C sfp1 1 DC 192.168.88.254 B8:27:EB:31:6A:60 bridge 2 D 10.30.30.2 sfp1 I don't see why I would get an ARP entry f...

Gomo

Did that, unfortunately no change. (download/file.php?id=65963)

route-entry.png

Gomo

Please right click on the image and "open image in new tab", it should show it in full size.
Or use this link for the last screenshot which I attached download/file.php?id=65961

Gomo

Disabling all "drop" FW rules (including the !LAN one) sadly didn't change anything.

Gomo

I did not mention it but of course the 192.168.88.254 is reachable from MT R2.

Gomo

Thanks for the suggestions. I did try "dst-nat" before I even tried "netmap" but I was getting same results. I have disabled the netmap rules and configured what you suggested (except that I used 10.30.30.2, instead of 10.30.30.1 as it is assigned to the MT R2). dst-nat.png 10.30...

Gomo

From my understanding "netmap" should be the fitting option here, only difference being that I use it for single IP translation and not networks. I tried with the same configuration using destination NAT, but nothing really changed. netmap.png As for the R1 config, I am not comfortable exp...

Gomo

Hello all, I have a 1:1 NAT related question. I've been trying to test it out at home as I will be moving on server to a DC and need to basically know how to do it before that happens. For those purposes I've created 2 new networks (10.30.30.0/29 and 10.30.40.0/29) which should represent two public ...

Gomo

Hello kd7vea,

I have the exact same server and was planning on purchasing the exact same router. Did you manage to solve mentioned problems? Would you recommend this solution or did you go with something else in the end?

Thank you.

Gomo

Anyone?

Gomo

Doing the opposite (whitelisting) is much harder than blacklisting. It's easy to break windows updates from functioning

Gomo

Hello all, I would like to restrict a group of clients to only have access to windows updates. They're all in the same network (nothing fancy or complex), behind a MikroTik router. I tried implementing various solutions (using regex, address lists with MS IPs & FQDNs, etc.) but there's always so...

Gomo

Hello, for those who have experience with pfsense / opnsense and similar solutions, I was wondering if I could add (for example) opnsense in-path between my ISP modem and MikroTik router without disrupting my MT firewall, or well, mainly port forwarding, subnets, etc. I would like to do this in orde...

Gomo

- The DNS was changed due to testing related to the dyndns. - About the interface name change "ether1", I think you must've missed something (the "Uplink" thing you saw was just a comment), because the name change was done via WinBox and it is reflected everywhere. - About the DH...

Gomo

Thank you. I've made some adjustments (nothing major, just the IP ranges and removed the emergency access part) and tested it at home. Here's the config export: /interface bridge add name=bridgeWG /interface ethernet set [ find default-name=ether1 ] comment=Uplink /interface wireguard add listen-por...

Gomo

If after all these years being on this forum (and I assume others) and not seeing what was meant and correlating that with arrogance.. oh boy. About the config suggestion .. I don't understand why you would put eth3,4,5 in a different subnet? add address=192.168.20.1/24 interface=bridge-WG network=1...

Gomo

Confident of my skills...still a bit in doubt...going to react anyway (sorry anav): I was being facetious LOL, perfectly within the skillset but no guarantees. Have at it! If one wants to add conditions on to post, I simply direct this way -------------------> https://mikrotik.com/consultants Someh...

Gomo

Pretty much whole ISP / destination subnet (192.168.100.0/24) should be reachable via the tunnel. "10.10.10.2" is a "remote worker" who needs to access internal resources, such as 192.168.100.2,3.4.5. Unfortunately the ISP modem cannot be in bridge mode. I know that having everyt...

Gomo

Hello
P.S. I would appreciate if you would only write suggestions if you're confident in your skills
Counts me out, I'm a cat person anyway.

If I were asking for whom this doesn't apply, we would see a bit more activity. But nice of you to share this useful piece of information.

Gomo

Hello all, I need assistance with a MT wireguard setup in non-MT network with basic ISP modem / router (means, very little configuration possible on the ISP modem / router side). I would like to add a MT router inside of a small local network and make it reachable from outside. "Outside" b...

Gomo

Hallo, we have a customer that has a similar setup. The ISP put a Fritzbox after the ONT, to provide VoIP Service to one VoIP phone in the 192.168.178.0/24 subnet. The use your own firewall the ISP configured an expose host and a second /30 subnet on port 4 or port 1, i can't rembemer. The firewall...

Gomo

on the IP address assignment to be consistent make the interface bridge-guest instead of wlan3?? small point on dst nat, it appears as if you have a static fixed WANIP based on your dst nat rule. In this case the generic Sourcenat rule (second rule after hairpin nat) should be in the form add actio...

Gomo

Hello all, I'm trying to setup a separate SSID, alongside my 2 local-home SSID's (2.4GHz & 5 GHz) and 1 guest SSID, in which all the traffic would go through a VPN tunnel. I can connect to the newly created "Test" SSID, and I do get an IP assigned (from 192.168.102.0/27 subnet), but my...

Gomo

I followed your tips as suggested, but it didn't work..

Gomo

Maybe you didn't provide an explanation & answer my questions? Even though I asked multiple times. I do not follow "random" suggestions without an explanation. If you can't provide one, how can I be sure I'm not configuring nonsense. Hope you understand.

Gomo

What happen if you have two separate interfaces (ether1 and bridgeLocal) with same address? (yes, is administrative access to the bridge) 1. So, should I enable "ether1" OR change the bridgeLocal MAC? You can not reach the configuration pages with 109.?0.15?.2?9 instead? 2. No I cannot, I...

Gomo

Full read what someone write, not only the first line.... Must be the MAC of ether2 readed now? You have removed (disabled) the ether1 from bridgeLocal, but you do not have changed the admin MAC with one of ethernet presents (still active) on the bridge (ether2). No need to get upset, I'm reading w...

Gomo

The MAC address matches.. WAN (connection to the ISP modem) of the MikroTik router is ether1, as it should be.

bridgeLocal_MAC.png

Gomo

On bridgeLocal the admin MAC still the same of ether1 MAC?
Change that MAC with eterh2 MAC

I'm not sure I understand what you're saying.. "bridgeLocal" - "Admin. MAC Address should be changed? what effect would that have?

bridgeLocal.png

Gomo

Are you sure that that modem's webpage is accessible for you? It's on public address so maybe ISP has restricted access to it? At the moment I have hidden wifi running on my ISP's modem so that I can make changes when needed. That's because it's running on the ISP's modem, so that I have access to ...

Gomo

/export hide-sensitive file=anynameyouwish

config.rsc

there it is

Looking forward to your suggestions!

Gomo

Anyone?

Gomo

Are you sure that that modem's webpage is accessible for you? It's on public address so maybe ISP has restricted access to it? I forgot to mention that the ISP's modem can be pinged from LAN via it's local IP (ping from my PC 192.168.100.10 to 192.168.178.1 for example). At the moment I have hidden...

Gomo

Hello all, I've seen similar threads to mine, but couldn't find (or was too dumb to implement) a working solution for my scenario. My setup: Internet -> ISP Modem (static public IPv4 X.X.X.a & 192.168.178.0/24) -> MikroTik (static public IPv4 X.X.X.b) -> LAN (192.168.100.0/24). The MikroTik rout...

Gomo

The reason RB4011 originally had lower signal strength than your old Fritz is that RB is conforming to your country regulations while old Fritz does not. By setting to "superchannel" and "no_country_set" you're in violation of said regulations (again). FritzBox is a router / com...

Gomo

Update: I've changed the WiFi configuration to this: good-wifi-covrage.png And now my 2.4GHz as well as the 5GHz covrage is even better than it was with the FritzBox 6490. Both 2.4 and 5 GHz frequency ranges are within what's allowed in my country. Now, I'm a tiny bit worried about the strenght .. I...

Gomo

I cannot get the same performance nor the range out of the Mikrotik router. Well, what performance you got before and now? Try the following changes, For installation, you should use Any not indoor, that should give you more channels to select. Change the 5Ghz band to N and AC only. In advanced mod...

Gomo

Hey there! I've recently purchased 'RB4011iGS+5HacQ2HnD-IN' router as a replacement to my FritzBox 6490. The thing is, no matter how much I play around with the frequencies, channels and whatnot, I cannot get the same performance nor the range out of the Mikrotik router. Does anyone have any tips? I...

Gomo

Yap, it works well!

fw-filter.png

I'll change it now so that it'll be valid for whole /24 network. Thanks for the help!

Gomo

Try to instead of redirect, drop on firewall filter forward the direct connections from "pool of smartphone ip" to the IP 8.8.8.8 and 8.8.4.4 On this way probably the device must be forced to use internal provided IP from DHCP Server Would like to give it a try, just not sure about the ru...

Gomo

Following did the trick: /ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.100.2 protocol=udp src-address=!192.168.100.2 dst-address=!192.168.100.2 dst-port=53 in-interface=bridge /ip firewall nat add chain=srcnat action=masquerade protocol=udp src-address=192.168.100.0/24 dst-ad...

Gomo

You mentioned slaac assigned by the mobile connection. Noone said it was "assigned by the mobile connection", the smartphone uses slaac to assign itself an IPv6 in the local network. This is not the case just with my phone (huawei p40 pro), the same behaviour was observed with 3 others as...

Gomo

To prove your theory, disable mobile data on the phone to see what happens. You should really post your export so everyone can see the whole config. Aren't the torch results enough? It clearly shows queries towards google DNS inside of the local network. Why would mobile data traffic show on the ro...

Gomo

Hello all! I'm new to this community and MikroTik products in general. I've decided to go with a "RB4011iGS+5HacQ2HnD-IN" since my IPS router started annoying me. To keep this short as possible, I have a public static IPv4 address and a IPv4 /24 home network where all my devices are connec...

Search found 54 matches